CVE-2012-1775: VLC MMS Support Stack Overflow

As we can see in the official security advisory here, this vulnerability was reported by Florent Hochwelker (also known as TaPiOn) and it affects all versions of VLC media player up to the 2.0.1 release.
The bug is very straightforward: it lives in the MMS access module, modules/access/mms/mmstu.c. Here is the exact code snippet.

The three vulnerable sprintf(3) calls are easy to spot: each of them writes into ‘tmp’, a fixed-size buffer of 4096 bytes, with no bound on the length of the formatted string. The fix was first to replace the fixed-size buffer with a pointer:

var_buffer_t buffer;
- char tmp[4096];
+ char *tmp;
uint16_t *p;
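Review bot: with the declaration now a bare `char *tmp;` and no initializer, every site that previously wrote into `tmp[4096]` has to check the asprintf(3) return value (on failure the function returns -1 and leaves the pointer indeterminate) and free the result once it has been used; this hunk only covers the declaration, so the call sites should be reviewed for both the check and the free.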

and then to use asprintf(3) instead of the unbounded sprintf(3), so that exactly the space each formatted string needs is allocated on the heap.
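The following is an added example, not VLC's code, that puts the defect pattern described above (an unbounded sprintf(3) into a fixed 4096-byte buffer fed by URI-derived strings) next to the asprintf(3) pattern the fix adopted, plus the bounded snprintf(3) alternative with truncation detection. The format string FMT, the host and path parameters, TMP_SIZE and the helper names are constructed stand-ins and do not come from mmstu.c.

```c
/* Added example, not VLC's code: the unbounded-sprintf defect pattern next to
 * the asprintf(3) fix. FMT, host/path and TMP_SIZE are constructed stand-ins. */
#define _GNU_SOURCE          /* exposes asprintf(3) in glibc's <stdio.h> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Explicit prototype so the example builds even if the feature macro above
 * was not seen before the first libc header was pulled in. */
int asprintf(char **strp, const char *fmt, ...);

#define TMP_SIZE 4096        /* size of the original 'char tmp[4096]' */
#define FMT "\\\\%s\\%s"     /* constructed: expands to \\host\path */

/* Bytes the formatted string needs, NUL excluded. snprintf with a NULL
 * destination and size 0 only counts; nothing is written anywhere. */
size_t required_len(const char *host, const char *path)
{
    int n = snprintf(NULL, 0, FMT, host, path);
    return n < 0 ? 0 : (size_t)n;
}

/* The original shape was sprintf(tmp, FMT, host, path) with tmp[TMP_SIZE].
 * sprintf has no bound, so whenever the formatted string plus its NUL does
 * not fit, the excess bytes land past the end of the buffer. This predicate
 * reports that condition without performing the write. */
int would_overflow_fixed_buffer(const char *host, const char *path)
{
    return required_len(host, path) + 1 > TMP_SIZE;
}

/* The fixed shape: asprintf allocates exactly the space needed. On failure it
 * returns -1 and leaves *strp indeterminate, so the return value, not the
 * pointer, must be checked. The caller owns and frees the result. */
char *build_dynamic(const char *host, const char *path)
{
    char *tmp = NULL;
    if (asprintf(&tmp, FMT, host, path) < 0)
        return NULL;
    return tmp;
}

/* Alternative if a fixed buffer is kept: snprintf bounds the write, and a
 * return value >= the buffer size means truncation, which becomes an error
 * instead of a silently clipped string being used. */
int build_bounded(char *dst, size_t dst_size, const char *host, const char *path)
{
    int n = snprintf(dst, dst_size, FMT, host, path);
    if (n < 0 || (size_t)n >= dst_size)
        return -1;
    return n;
}

/* Exercises the three variants with a short host and a constructed 4999-byte
 * host; returns the number of checks that passed (6 when all hold). */
int self_check(void)
{
    int passed = 0;
    char small[32];
    char *big = malloc(5000);
    if (!big)
        return 0;
    memset(big, 'A', 4999);
    big[4999] = '\0';

    passed += !would_overflow_fixed_buffer("example.invalid", "stream");
    passed += would_overflow_fixed_buffer(big, "x");

    char *s = build_dynamic(big, "x");
    passed += (s != NULL && strlen(s) == 4999 + 4); /* 2 + 4999 + 1 + 1 */
    free(s);

    passed += build_bounded(small, sizeof small, big, "x") == -1;
    passed += build_bounded(small, sizeof small, "h", "p") == 5;
    passed += strcmp(small, "\\\\h\\p") == 0;

    free(big);
    return passed;
}

int main(void)
{
    printf("%d of 6 checks passed\n", self_check());
    return 0;
}
```

The point of would_overflow_fixed_buffer is that the only thing separating the old code from memory corruption was the length of attacker-controlled URI components; build_dynamic removes that dependency entirely, while build_bounded shows the minimum a reviewer should insist on if a fixed buffer is retained: a bounded write and a checked return value.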

The Metasploit project released an exploit module for this vulnerability, written by sinn3r and juan vazquez, so let's look at how vlc_mms_bof.rb exploits the bug.

First we have the usual Metasploit initialization code…

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "VLC MMS Stream Handling Buffer Overflow",
      'Description'    => %q{
          This module exploits a buffer overflow in VLC media player prior
        to 2.0.0. The vulnerability is due to a dangerous use of sprintf which can result
        in a stack buffer overflow when handling a malicious MMS URI.
          This module uses the browser as attack vector. A specially crafted MMS URI is
        used to trigger the overflow and get flow control through SEH overwrite. Control
        is transferred to code located in the heap through a standard heap spray.
          The module only targets IE6 and IE7 because no DEP/ASLR bypass has been provided.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Florent Hochwelker', # aka TaPiOn, Vulnerability discovery
          'sinn3r',             # Metasploit module
          'juan vazquez'        # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2012-1775'],
          ['OSVDB', '80188'],
          ['URL', 'http://www.videolan.org/security/sa1201.html'],
          # Fix commit diff
          ['URL', 'http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c']
        ],

Because the overflow is reached through sprintf(3), which stops copying at the first NUL, the payload cannot contain a 0x00 byte; it is therefore configured as a bad character, and the payload space is set to 1000 bytes. The default options for the exit function and the initial auto-run script are also visible here.